CVE-2025-13930

MEDIUM

Checkout Field Manager for WooCommerce <=7.8.5 - Auth Bypass

Title source: llm

Description

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8.1/lib/class-upload.php#L114

Product

https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8.1/lib/class-upload.php#L75

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440979%40woocommerce-checkout-manager&new=3440979%40woocommerce-checkout-manager&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/33486414-6878-4b16-ae2d-00ec52fc2213?source=cve

Scores

CVSS v3 5.3

EPSS 0.0041

EPSS Percentile 32.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

quadlayers/Checkout Field Manager (Checkout Manager) for WooCommerce < 7.8.5

Published Feb 19, 2026

Tracked Since Feb 19, 2026